Skip to content
Latest
Jscrambler npm Compromise Shows Build Pipelines Need Runtime ControlsGhost Phishing Shows Why Email Security Must Follow the BrowserPakistani Police Intrusions Show Why Public-Sector Data Systems Are Strategic TargetsBad Epoll Shows Linux Kernel LPEs Belong in the Patch Priority QueueFake Payment SDKs Show Why Dependency Risk Is Credential RiskCritical UniFi Flaws Put Network Control Planes Back in the Patch QueueVidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak ControlsADFS Signing Keys Show Why Federation Servers Are Tier-Zero Identity InfrastructureUAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay InfrastructureFortiBleed Shows Firewall Credentials Are Ransomware FuelNetNut and Popa Takedown Shows Residential Proxies Are Now Attack InfrastructureVect and TeamPCP Show Supply-Chain Credentials Are Ransomware FuelOusaban Shows Banking Trojans Are Learning to Hide From SandboxesNUT upsmon Command Injection Shows UPS Monitoring Belongs in the Patch Queue

Category Archive

General CTI

189 reports · All intelligence

Bulwark Black cyber threat intelligence filed under General CTI.

General CTI
Jscrambler npm Compromise Shows Build Pipelines Need Runtime Controls
General CTI·

Jscrambler npm Compromise Shows Build Pipelines Need Runtime Controls

A compromised Jscrambler npm release shows why CI/CD package installation and runtime behavior need production-grade controls, credential rotation, and dependency governance.

Cyber Security Blog
Ghost Phishing Shows Why Email Security Must Follow the Browser
Cyber Security Blog·

Ghost Phishing Shows Why Email Security Must Follow the Browser

Ghost phishing hides the real lure until the browser renders it. Here is what SMBs and government contractors should do to defend Microsoft 365 identities.

Chinese Cyber Threat Intelligence
Pakistani Police Intrusions Show Why Public-Sector Data Systems Are Strategic Targets
Chinese Cyber Threat Intelligence·

Pakistani Police Intrusions Show Why Public-Sector Data Systems Are Strategic Targets

SentinelLabs reporting on rival espionage activity against Pakistani law enforcement is a reminder that public-sector portals, case systems, and citizen-data apps are strategic intelligence targets — even when they are not classified systems.

Cyber Security Blog
Bad Epoll Shows Linux Kernel LPEs Belong in the Patch Priority Queue
Cyber Security Blog·

Bad Epoll Shows Linux Kernel LPEs Belong in the Patch Priority Queue

Bad Epoll CVE-2026-46242 is a Linux kernel epoll race-condition LPE. Here is why SMBs and government contractors should prioritize kernel patching, developer endpoint hardening, and post-compromise controls.

Cyber Security Blog
Fake Payment SDKs Show Why Dependency Risk Is Credential Risk
Cyber Security Blog·

Fake Payment SDKs Show Why Dependency Risk Is Credential Risk

Socket uncovered malicious npm and PyPI packages impersonating Paysafe, Skrill, and Neteller SDKs. Here is what SMBs and government contractors should do now to protect CI secrets, developer machines, and payment integrations.

Cyber Security Blog
Critical UniFi Flaws Put Network Control Planes Back in the Patch Queue
Cyber Security Blog·

Critical UniFi Flaws Put Network Control Planes Back in the Patch Queue

Ubiquiti patched critical UniFi Connect, Talk, Access, Protect, and UniFi OS flaws. Here is what SMBs and government contractors should patch, restrict, and review now.

Cyber Security Blog
Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls
Cyber Security Blog·

Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls

Unit 42 reported a Vidar stealer and XMRig campaign using malvertising, fake cracked-software lures, misleading certificate metadata, oversized binaries, and commodity loader infrastructure. Here is what SMBs and government contractors should take away.

Cyber Security Blog
ADFS Signing Keys Show Why Federation Servers Are Tier-Zero Identity Infrastructure
Cyber Security Blog·

ADFS Signing Keys Show Why Federation Servers Are Tier-Zero Identity Infrastructure

Mandiant shows how ADFS certificate drift and Machine DPAPI can expose active signing keys. Here is what SMBs and government contractors should do now.

Chinese Cyber Threat Intelligence
UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure
Chinese Cyber Threat Intelligence·

UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure

Cisco Talos reports UAT-7810 is expanding ORB relay infrastructure using compromised edge and embedded devices. Here is what SMBs and government contractors should do now.

Cyber Security Blog
FortiBleed Shows Firewall Credentials Are Ransomware Fuel
Cyber Security Blog·

FortiBleed Shows Firewall Credentials Are Ransomware Fuel

SOCRadar linked the FortiBleed FortiGate credential-harvesting campaign to INC and Lynx ransomware operations. Here is what SMBs and government contractors should do next.

Cyber Security Blog
NetNut and Popa Takedown Shows Residential Proxies Are Now Attack Infrastructure
Cyber Security Blog·

NetNut and Popa Takedown Shows Residential Proxies Are Now Attack Infrastructure

The FBI and industry partners disrupted NetNut and the Popa botnet. Here is why residential proxy abuse matters for SMBs, government contractors, and defenders.

Cyber Security Blog
Vect and TeamPCP Show Supply-Chain Credentials Are Ransomware Fuel
Cyber Security Blog·

Vect and TeamPCP Show Supply-Chain Credentials Are Ransomware Fuel

Sophos CTU reports that Vect and TeamPCP have linked ransomware deployment with supply-chain credential theft. Here is what SMBs and government contractors should harden now.

Cyber Security Blog
Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes
Cyber Security Blog·

Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes

Ousaban’s Spain and Portugal campaign shows how banking trojans use geofencing, phishing PDFs, steganography, and daily-changing C2 to evade sandbox-heavy defenses.

Cyber Security Blog
NUT upsmon Command Injection Shows UPS Monitoring Belongs in the Patch Queue
Cyber Security Blog·

NUT upsmon Command Injection Shows UPS Monitoring Belongs in the Patch Queue

CVE-2026-54161 in Network UPS Tools upsmon shows why UPS monitoring, notification scripts, and power-infrastructure control paths need patching, segmentation, and process monitoring.

Cyber Security Blog
ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane
Cyber Security Blog·

ARToken Shows Microsoft 365 Tokens Are the New BEC Control Plane

Cisco Talos uncovered ARToken, an EvilTokens-linked phishing-as-a-service panel built around Microsoft 365 token theft, device-code phishing, mailbox access, SharePoint operations, and BEC automation. The practical lesson: treat identity tokens, inbox rules, and cloud collaborati

Cyber Security Blog
CitrixBleed Keeps Returning: NetScaler SAML IdP Memory Leaks Need Edge-Control Discipline
Cyber Security Blog·

CitrixBleed Keeps Returning: NetScaler SAML IdP Memory Leaks Need Edge-Control Discipline

Citrix patched CVE-2026-8451, a NetScaler SAML IdP memory overread in the CitrixBleed family. Here is what SMBs and government contractors should do now.

Cyber Security Blog
SimpleHelp Exploitation Shows RMM Is a Credential Control Plane
Cyber Security Blog·

SimpleHelp Exploitation Shows RMM Is a Credential Control Plane

Active exploitation of SimpleHelp CVE-2026-48558 shows why RMM platforms must be treated as privileged credential control planes, not routine support tools.

AI (General)
Leaky iOS AI Apps Show Mobile AI Needs Real API Gateways
AI (General)·

Leaky iOS AI Apps Show Mobile AI Needs Real API Gateways

A study of iOS AI chatbot apps found widespread exposure of API keys, open AI proxy access, and replayable tokens. The fix is not another client-side secret workaround; it is real backend authentication, scoped tokens, monitoring, and key isolation.

Cyber Security Blog
Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access
Cyber Security Blog·

Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access

A DFIR Report case study shows how a fake ManageEngine OpManager download led from BumbleBee and AdaptixC2 to Akira ransomware. The defensive lesson: admin software downloads need control, verification, and monitoring.

Chinese Cyber Threat Intelligence
Water Systems Are Becoming Nation-State Pressure Points
Chinese Cyber Threat Intelligence·

Water Systems Are Becoming Nation-State Pressure Points

Nation-state targeting of water systems shows why exposed OT, weak credentials, remote access, and poor IT/OT segmentation remain practical business risks—not just utility-sector problems.

Cyber Security Blog
Fluentd Vulnerabilities Show Logging Pipelines Need Production-Grade Segmentation
Cyber Security Blog·

Fluentd Vulnerabilities Show Logging Pipelines Need Production-Grade Segmentation

Multiple Fluentd vulnerabilities show why log collectors need segmentation, least privilege, and hostile-input assumptions—not just patching.

Cyber Security Blog
Shai Hulud Shows CI/CD Identity Is Production Cloud Identity
Cyber Security Blog·

Shai Hulud Shows CI/CD Identity Is Production Cloud Identity

Fortinet’s Shai Hulud case study shows how poisoned CI/CD dependencies can become cloud identity compromise, IAM escalation, and Redshift data theft. Here is what SMBs and government contractors should harden now.

AI (General)
Clean Repos Can Still Burn Developer Machines When AI Agents Trust Runtime Setup
AI (General)·

Clean Repos Can Still Burn Developer Machines When AI Agents Trust Runtime Setup

A clean-looking repository can still become dangerous when an AI coding agent follows setup instructions and executes runtime-fetched configuration. Here is how teams should defend developer workflows.

Cyber Security Blog
Splunk Enterprise RCE Shows SIEM Servers Are Tier-Zero Infrastructure
Cyber Security Blog·

Splunk Enterprise RCE Shows SIEM Servers Are Tier-Zero Infrastructure

CVE-2026-20253 shows why Splunk and other SIEM platforms need tier-zero hardening: patch quickly, restrict management access, review service accounts, and hunt for suspicious file writes.

Cyber Security Blog
NAIC Breach Shows Why PeopleSoft Internet Exposure Needs Immediate Review
Cyber Security Blog·

NAIC Breach Shows Why PeopleSoft Internet Exposure Needs Immediate Review

NAIC’s PeopleSoft-linked breach is a practical warning for SMBs and government contractors: patch CVE-2026-35273, restrict administrative endpoints, and hunt for attacker staging before extortion begins.

Cyber Security Blog
Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths
Cyber Security Blog·

Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths

Microsoft’s hospitality photo-ZIP campaign shows why front desk, booking, and customer intake workflows need executable-content controls, redirect-chain inspection, and endpoint hunting for unusual Node.js persistence.

Chinese Cyber Threat Intelligence
CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells
Chinese Cyber Threat Intelligence·

CL-STA-1062 Shows Critical Infrastructure Intrusions Still Start With Web Shells

Unit 42’s CL-STA-1062 report shows why defenders should focus on exposed web apps, web shells, tunneling tools, scheduled-task persistence, and egress visibility — not just the TinyRCT malware name.

Cyber Security Blog
Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility
Cyber Security Blog·

Turla’s STOCKSTAY Backdoor Shows Why Espionage Defense Needs Egress Visibility

GTIG’s STOCKSTAY research shows how Turla blends modular .NET malware, WebSocket C2, and diplomatic targeting. Here are the defensive lessons for SMBs and government contractors.

Cyber Security Blog
StrikeShark Shows Loader Malware Is an Edge-Exposure Problem
Cyber Security Blog·

StrikeShark Shows Loader Malware Is an Edge-Exposure Problem

Kaspersky’s StrikeShark research shows how opportunistic exploitation of exposed servers can become a multi-stage SharkLoader and Cobalt Strike intrusion. Here is what SMBs and government contractors should review now.

Cyber Security Blog
MuddyWater’s Chaos Masquerade Shows Ransomware Response Needs Attribution Discipline
Cyber Security Blog·

MuddyWater’s Chaos Masquerade Shows Ransomware Response Needs Attribution Discipline

Iran-linked MuddyWater activity shows why ransomware response needs to examine identity compromise, remote access, and adversary objectives instead of trusting the ransom note at face value.

Cyber Security Blog
SocGholish Takedown Shows Website Trust Is Malware Infrastructure
Cyber Security Blog·

SocGholish Takedown Shows Website Trust Is Malware Infrastructure

Operation Endgame disrupted SocGholish infrastructure, but the defensive lesson is bigger: compromised trusted websites are malware delivery infrastructure.

Cyber Security Blog
Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets
Cyber Security Blog·

Operation Escaneo Shows Latin America’s Edge Devices Are Prime Intrusion Targets

Operation Escaneo shows how financially motivated actors are turning exposed edge devices, tunnels, and privileged service accounts into full intrusion chains across Latin American government and critical infrastructure targets.

AI (General)
Mastra npm Compromise Shows AI Frameworks Are Supply-Chain Targets
AI (General)·

Mastra npm Compromise Shows AI Frameworks Are Supply-Chain Targets

Microsoft linked the Mastra AI npm package compromise to North Korean actor Sapphire Sleet. Here is what SMBs and government contractors should do about AI framework supply-chain risk.

Chinese Cyber Threat Intelligence
Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring
Chinese Cyber Threat Intelligence·

Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring

Showboat is a China-linked Linux post-exploitation framework aimed at telecom providers. The lesson for defenders: treat Linux server persistence, dynamic linker abuse, and low-noise C2 as first-class monitoring priorities.

AI (General)
AutoJack Shows AI Browsing Agents Need Localhost Boundaries
AI (General)·

AutoJack Shows AI Browsing Agents Need Localhost Boundaries

Microsoft’s AutoJack research shows how a malicious webpage can abuse an AI browsing agent’s access to localhost services. The defensive lesson: treat agent control planes, MCP servers, and local tool runners like privileged admin surfaces.

Cyber Security Blog
Apache APISIX Auth Bypass Cluster Shows API Gateways Need Plugin-Level Review
Cyber Security Blog·

Apache APISIX Auth Bypass Cluster Shows API Gateways Need Plugin-Level Review

Apache disclosed a cluster of APISIX authentication and identity plugin CVEs. The defensive priority is patching, plugin inventory, and validating what backend services trust from the gateway.

Cyber Security Blog
FortiBleed Shows Firewall Patching Is Not Compromise Recovery
Cyber Security Blog·

FortiBleed Shows Firewall Patching Is Not Compromise Recovery

FortiBleed is a reminder that edge firewall patching is necessary, but it does not prove a previously exposed appliance is clean. Defenders need compromise review, credential rotation, and rebuild plans for perimeter devices.

Cyber Security Blog
Vendor-Signed UEFI Apps Show Secure Boot Still Depends on Revocation Hygiene
Cyber Security Blog·

Vendor-Signed UEFI Apps Show Secure Boot Still Depends on Revocation Hygiene

CERT/CC warns that multiple vendor-signed UEFI applications can be abused to bypass Secure Boot before the operating system and EDR controls ever load. For SMBs and government contractors, the fix is not just firmware patching; it is verifying DBX revocation coverage across manag

Cyber Security Blog
SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk
Cyber Security Blog·

SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk

Zscaler ThreatLabz reported that SmartApeSG injected malicious JavaScript into the Okendo Reviews widget, creating downstream exposure across e-commerce sites. Here is what SMBs and government contractors should do about third-party browser code risk.

Cyber Security Blog
Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity
Cyber Security Blog·

Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity

Microsoft research on a Tor-routed crypto clipper shows why defenders should connect USB shortcut execution, script interpreters, localhost proxy activity, and clipboard theft into one investigation path.

AI (General)
Outsider Enterprise Shows AI-Powered Phishing Is Now Industrial Infrastructure
AI (General)·

Outsider Enterprise Shows AI-Powered Phishing Is Now Industrial Infrastructure

The Outsider Enterprise takedown shows AI-powered phishing is now industrial infrastructure. SMBs and government contractors should prioritize phishing-resistant MFA, identity recovery controls, and rapid session revocation.

Cyber Security Blog
Handala’s Cal Water Claim Shows OT Defense Starts With Segmentation
Cyber Security Blog·

Handala’s Cal Water Claim Shows OT Defense Starts With Segmentation

Handala’s California Water Service claim is a reminder that critical-infrastructure defense starts with proving separation between billing systems, telemetry platforms, and operational technology.

Cyber Security Blog
FortiPortal CVE-2026-49938 Shows Network Configuration Data Is a High-Value Target
Cyber Security Blog·

FortiPortal CVE-2026-49938 Shows Network Configuration Data Is a High-Value Target

Fortinet CVE-2026-49938 is a medium-severity FortiPortal API access-control issue, but sensitive network configuration exposure can still give attackers a valuable map of the environment.

Chinese Cyber Threat Intelligence
Velvet Ant Shows Authentication Infrastructure Is Critical Infrastructure
Chinese Cyber Threat Intelligence·

Velvet Ant Shows Authentication Infrastructure Is Critical Infrastructure

Velvet Ant’s Operation Highland shows why PAM, OpenSSH, jump hosts, and proxy paths deserve the same defensive priority as identity providers and domain controllers.

AI (General)
Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries
AI (General)·

Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries

Zscaler ThreatLabz says the Shai-Hulud campaign has expanded across package ecosystems and introduced prompt-injection tactics aimed at automated AI security triage. The defense lesson is simple: treat package content as hostile input, even when an LLM is doing the review.

Cyber Security Blog
Maine Breach Portal Hoax Shows Disclosure Systems Need Verification Controls
Cyber Security Blog·

Maine Breach Portal Hoax Shows Disclosure Systems Need Verification Controls

Maine took its public breach notification database offline after fake disclosures were published. The lesson for SMBs and government contractors: public trust workflows need verification, moderation, and correction controls.

Cyber Security Blog
Portainer CVE-2026-33590 Shows Container Admin Tools Need Least Privilege Defaults
Cyber Security Blog·

Portainer CVE-2026-33590 Shows Container Admin Tools Need Least Privilege Defaults

intWave disclosed CVE-2026-33590 in Portainer, where insecure default Docker security settings could let regular users escalate toward host takeover. Here is what SMBs and government contractors should lock down.

AI (General)
MaXSS and Spyder Show AI Browser Extensions Are an Endpoint Risk
AI (General)·

MaXSS and Spyder Show AI Browser Extensions Are an Endpoint Risk

Rebora disclosed MaXSS and Spyder, two critical flaws in AI browser-extension side panels. The lesson for SMBs and government contractors: browser extensions are endpoint software with identity-session reach and need governance.

Cyber Security Blog
ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface
Cyber Security Blog·

ShinyHunters PeopleSoft Exploitation Shows ERP Admin Endpoints Are Breach Surface

GTIG and Mandiant report active ShinyHunters exploitation of Oracle PeopleSoft CVE-2026-35273. Here is what defenders should lock down, hunt, and segment now.

AI (General)
LangGraph Checkpointer Bugs Show AI Agent Memory Is Backend Attack Surface
AI (General)·

LangGraph Checkpointer Bugs Show AI Agent Memory Is Backend Attack Surface

Check Point Research disclosed LangGraph checkpointer flaws that could turn user-controlled state-history filters into SQL injection, unsafe deserialization, and remote code execution. The lesson for SMBs and government contractors: AI agent memory is application infrastructure,

Cyber Security Blog
IMA Diligence Breach Shows Legacy Servers Are Still Third-Party Risk
Cyber Security Blog·

IMA Diligence Breach Shows Legacy Servers Are Still Third-Party Risk

A reported IMA Diligence breach affecting more than 525,000 people shows why legacy third-party servers need ownership, monitoring, decommissioning, and data-risk review.

Cyber Security Blog
C0XMO Shows IoT Botnets Are Still an Edge Exposure Problem
Cyber Security Blog·

C0XMO Shows IoT Botnets Are Still an Edge Exposure Problem

Fortinet researchers detailed C0XMO, a Gafgyt variant spreading through DD-WRT and other exposed devices. Here is what SMBs and government contractors should lock down before compromised routers become DDoS infrastructure.

Cyber Security Blog
SolarWinds Serv-U Exploitation Shows File Transfer Availability Is Security
Cyber Security Blog·

SolarWinds Serv-U Exploitation Shows File Transfer Availability Is Security

CISA added actively exploited SolarWinds Serv-U CVE-2026-28318 to KEV. Here is what SMBs and government contractors should do about file-transfer availability risk.

Cyber Security Blog
Pink Extortion Shows Microsoft 365 Defense Starts With Vishing Controls
Cyber Security Blog·

Pink Extortion Shows Microsoft 365 Defense Starts With Vishing Controls

Unit 42 is tracking Pink / CL-CRI-1147, a Com-affiliated extortion brand using vishing, credential theft, and Microsoft 365 data exfiltration. Here is what SMBs and government contractors should lock down now.

AI (General)
ChatGPT Lockdown Mode Shows Prompt Injection Defense Is About Egress Control
AI (General)·

ChatGPT Lockdown Mode Shows Prompt Injection Defense Is About Egress Control

OpenAI’s ChatGPT Lockdown Mode is a useful reminder that prompt-injection defense is not just about model behavior. It is about limiting outbound paths, connector permissions, and tool access around sensitive work.

Cyber Security Blog
PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching
Cyber Security Blog·

PAN-OS GlobalProtect Exploitation Shows VPN Access Needs Log Review, Not Just Patching

Unit 42 reports active exploitation attempts against PAN-OS GlobalProtect CVE-2026-0257. Defenders should patch, but also review VPN sessions, authentication override cookie behavior, and edge-device telemetry for signs of unauthorized access.

Cyber Security Blog
UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms
Cyber Security Blog·

UNC3753 Brings Vishing, RMM Abuse, and Physical Intrusions to U.S. Law Firms

Mandiant reports that UNC3753, also known as Luna Moth / Silent Ransom Group, is targeting U.S. law firms and professional services with vishing, RMM abuse, rapid data theft, and suspected physical office intrusions. Here is what SMBs and government contractors should lock down n

Cyber Security Blog
Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review
Cyber Security Blog·

Cisco SD-WAN Zero-Day Shows Edge Controllers Need Compromise Review

Cisco says CVE-2026-20245 has been exploited against Catalyst SD-WAN Manager. Defenders should preserve evidence, review controller logs, validate edge-device configuration, and restrict management-plane access.

AI (General)
Agentic AI Failure Modes Show Why AI Tools Need Supply-Chain Controls
AI (General)·

Agentic AI Failure Modes Show Why AI Tools Need Supply-Chain Controls

Microsoft’s updated agentic AI failure-mode taxonomy turns AI agents into a practical security architecture problem: plugins, prompts, memory, browser use, and human approvals all need controls.

Cyber Security Blog
Error 524 Smishing Shows Why Fraud Infrastructure Needs CTI
Cyber Security Blog·

Error 524 Smishing Shows Why Fraud Infrastructure Needs CTI

Group-IB documented a global smishing operation using fake error pages, geofencing, and encrypted WebSocket exfiltration. Here is what SMBs and government contractors should take from it.

Cyber Security Blog
Fuel Tank Gauge Attacks Show Why Small OT Still Needs Internet Exposure Control
Cyber Security Blog·

Fuel Tank Gauge Attacks Show Why Small OT Still Needs Internet Exposure Control

Federal agencies warn that attackers are compromising internet-exposed automatic tank gauge systems. The lesson for SMBs, fuel operators, farms, logistics firms, and gov contractors is simple: small OT is still operational infrastructure.

Cyber Security Blog
Stock Exchange Mailbox Espionage Shows Executive Email Is Strategic Infrastructure
Cyber Security Blog·

Stock Exchange Mailbox Espionage Shows Executive Email Is Strategic Infrastructure

A five-month espionage campaign against a stock exchange executive mailbox shows why senior email accounts need privileged-asset controls, cloud exfiltration monitoring, and scheduled-task hunting.

Chinese Cyber Threat Intelligence
TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure
Chinese Cyber Threat Intelligence·

TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure

Proofpoint’s TA4922 reporting shows how localized HR, payroll, tax, and invoice lures can become full initial-access infrastructure through DLL sideloading, loaders, RATs, RMM tools, and browser credential theft.

Cyber Security Blog
Red Hat’s Miasma npm Compromise Shows Trusted Publishing Is Not a Control Boundary
Cyber Security Blog·

Red Hat’s Miasma npm Compromise Shows Trusted Publishing Is Not a Control Boundary

A Red Hat Cloud Services npm compromise shows why signed releases and trusted publishing must be paired with install-time controls, CI/CD isolation, and fast credential rotation.

AI (General)
AI-Assisted Ransomware Tooling Shows EDR Evasion Is Now an Iteration Problem
AI (General)·

AI-Assisted Ransomware Tooling Shows EDR Evasion Is Now an Iteration Problem

Sophos observed ransomware-linked operators using AI-assisted development workflows to accelerate EDR evasion testing and Active Directory discovery. The defensive lesson: validate controls, harden identity, and monitor behavior before attackers iterate around your tooling.

Cyber Security Blog
FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware
Cyber Security Blog·

FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware

Unit 42’s FlutterBridge research shows macOS malvertising evolving from adware into FlutterShell backdoor delivery. Here is what SMBs and government contractors should tighten first.

Chinese Cyber Threat Intelligence
Mustang Panda’s Fake Browser Updater Shows Why LNK Files Still Matter
Chinese Cyber Threat Intelligence·

Mustang Panda’s Fake Browser Updater Shows Why LNK Files Still Matter

Mustang Panda’s fake browser updater chain shows why defenders still need to hunt LNK-to-PowerShell execution, DLL sideloading, user-context persistence, and suspicious HTTPS beaconing.

Cyber Security Blog
FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System
Cyber Security Blog·

FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System

Attackers are abusing CVE-2026-35616 in FortiClient EMS to push a credential stealer through trusted endpoint management workflows. Here is what defenders should check first.

AI (General)
Meta AI Support Bot Abuse Shows Account Recovery Is Part of the Identity Perimeter
AI (General)·

Meta AI Support Bot Abuse Shows Account Recovery Is Part of the Identity Perimeter

Attackers reportedly abused Meta’s AI support assistant during Instagram account recovery. The lesson for SMBs and contractors: recovery workflows are identity infrastructure and need MFA, monitoring, and guardrails.

Cyber Security Blog
SolyxImmortal Shows Why Python Infostealers Are a Business Risk, Not Just Malware Noise
Cyber Security Blog·

SolyxImmortal Shows Why Python Infostealers Are a Business Risk, Not Just Malware Noise

SolyxImmortal combines persistence, browser credential theft, document collection, screenshots, keylogging, and webhook exfiltration. Here is what SMB and government-contractor defenders should do about it.

Chinese Cyber Threat Intelligence
Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting
Chinese Cyber Threat Intelligence·

Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting

Lumen and PwC reporting on Showboat, Red Lamassu, and JFMBackdoor shows how China-linked telecom intrusions combine Linux footholds, proxying, and Windows backdoors. Here is what SMBs and government contractors should harden now.

Cyber Security Blog
WP Maps Pro Exploitation Shows Why Plugin Support Features Need Security Review
Cyber Security Blog·

WP Maps Pro Exploitation Shows Why Plugin Support Features Need Security Review

Attackers are exploiting CVE-2026-8732 in WP Maps Pro to create rogue WordPress administrator accounts. Here is what SMBs and contractors should patch, audit, and verify.

Cyber Security Blog
SideCopy’s XenoRAT Campaign Shows Why Localized Lures Beat Generic Phishing Defenses
Cyber Security Blog·

SideCopy’s XenoRAT Campaign Shows Why Localized Lures Beat Generic Phishing Defenses

SideCopy/APT36 targeted Afghanistan finance officials with Pashto-language lures and XenoRAT. Here is what SMBs and government contractors should take from the campaign.

Cyber Security Blog
Dependency Confusion Campaign Shows Reconnaissance Is the First Supply-Chain Payload
Cyber Security Blog·

Dependency Confusion Campaign Shows Reconnaissance Is the First Supply-Chain Payload

Microsoft found 33 malicious npm packages abusing dependency confusion to profile developer and build environments. The defender lesson: treat package installation as code execution and lock down internal namespace hygiene before attackers do reconnaissance at scale.

Cyber Security Blog
MediaInfoLib Parser Bugs Show File Metadata Is an Execution Boundary
Cyber Security Blog·

MediaInfoLib Parser Bugs Show File Metadata Is an Execution Boundary

Cisco Talos disclosed four patched MediaInfoLib heap-based buffer overflow vulnerabilities. The bigger lesson: automated media metadata parsing belongs inside a sandboxed, monitored execution boundary.

AI (General)
Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access
AI (General)·

Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access

Microsoft reported a cryptojacking campaign that uses poisoned search results, AI-surfaced software recommendations, fake utility downloads, and abused ScreenConnect access. Here is what SMBs and government contractors should defend first.

Cyber Security Blog
LiteSpeed cPanel KEV Shows Shared Hosting Is Privilege Escalation Terrain
Cyber Security Blog·

LiteSpeed cPanel KEV Shows Shared Hosting Is Privilege Escalation Terrain

CISA added CVE-2026-48172 to KEV after active exploitation of a LiteSpeed cPanel user-end plugin flaw that can let compromised hosting accounts execute scripts as root.

Cyber Security Blog
Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield
Cyber Security Blog·

Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield

The Megalodon GitHub campaign shows why CI/CD pipelines must be treated like production infrastructure: malicious workflow commits can harvest cloud credentials, OIDC tokens, SSH keys, and package secrets at scale.

Cyber Security Blog
Chinese-Language PhaaS Shows MFA Bypass Is Becoming Real-Time Fraud
Cyber Security Blog·

Chinese-Language PhaaS Shows MFA Bypass Is Becoming Real-Time Fraud

Google’s reporting on Chinese-language phishing-as-a-service shows why MFA bypass, real-time OTP interception, and digital wallet fraud require phishing-resistant authentication and session monitoring.

Cyber Security Blog
KnowledgeDeliver RCE Shows Shared Machine Keys Are Shared Blast Radius
Cyber Security Blog·

KnowledgeDeliver RCE Shows Shared Machine Keys Are Shared Blast Radius

Mandiant’s KnowledgeDeliver CVE-2026-5426 report shows how shared ASP.NET machine keys can turn ViewState into unauthenticated RCE and user-facing malware delivery.

Cyber Security Blog
Laravel-Lang Compromise Shows Dependency Tags Can Be Weaponized
Cyber Security Blog·

Laravel-Lang Compromise Shows Dependency Tags Can Be Weaponized

A Laravel-Lang package compromise shows why trusted dependency tags, Composer autoload behavior, and runtime secrets need security monitoring—not just engineering review.

Cyber Security Blog
Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven
Cyber Security Blog·

Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven

The South Staffordshire Water breach shows why outsourced SOC coverage, legacy server risk, and vulnerability management must be proven—not assumed—for SMBs, utilities, and government contractors.

Cyber Security Blog
ROADtools Abuse Shows Cloud Identity Is the New Attack Surface
Cyber Security Blog·

ROADtools Abuse Shows Cloud Identity Is the New Attack Surface

Unit 42’s ROADtools research shows why Microsoft Entra ID token abuse, rogue device registration, and Graph API enumeration need to be treated as core incident-response signals for SMBs and government contractors.

Cyber Security Blog
Drupal CVE-2026-9082 Shows Web Asset Inventory Is Emergency Response
Cyber Security Blog·

Drupal CVE-2026-9082 Shows Web Asset Inventory Is Emergency Response

Drupal CVE-2026-9082 is already being scanned and exploited in the wild. The lesson for SMBs and government contractors: know where your Drupal sites are, verify PostgreSQL exposure, patch fast, and review logs before probing turns into compromise.

Cyber Security Blog
Nimbus Manticore Shows Iranian APTs Are Moving Faster With AI-Assisted Tooling
Cyber Security Blog·

Nimbus Manticore Shows Iranian APTs Are Moving Faster With AI-Assisted Tooling

Check Point Research reports that IRGC-affiliated Nimbus Manticore resurfaced with fake Zoom and SQL Developer lures, SEO poisoning, AppDomain hijacking, and a new MiniFast backdoor. Here is what SMBs and government contractors should tighten first.

Cyber Security Blog
F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths
Cyber Security Blog·

F5-to-Confluence Intrusion Shows Edge Devices Are Identity Attack Paths

Microsoft analyzed an intrusion where an F5 BIG-IP edge appliance led to Linux access, Confluence compromise, credential theft, and identity relay attempts. Here is what SMBs and government contractors should tighten first.

Cyber Security Blog
Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface
Cyber Security Blog·

Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface

Iran-nexus Screening Serpens used recruitment and meeting lures, new RAT variants, and .NET AppDomainManager hijacking. Here is what SMBs and government contractors should tighten now.

Cyber Security Blog
Kimwolf Arrest Shows DDoS Risk Starts on Forgotten IoT
Cyber Security Blog·

Kimwolf Arrest Shows DDoS Risk Starts on Forgotten IoT

The alleged Kimwolf botmaster arrest is a useful reminder for SMBs and government contractors: DDoS resilience starts with asset visibility, upstream protection, and hardening forgotten IoT and edge devices.

Cyber Security Blog
TamperedChef Shows Signed Productivity Apps Cannot Be Trusted by Default
Cyber Security Blog·

TamperedChef Shows Signed Productivity Apps Cannot Be Trusted by Default

TamperedChef-style malware hides inside convincing signed productivity apps. Here is what SMBs and government contractors should do about it.

AI (General)
Patriot Bait Shows AI-Enabled Fraud Can Turn Trust Into Attack Surface
AI (General)·

Patriot Bait Shows AI-Enabled Fraud Can Turn Trust Into Attack Surface

Trend Micro’s Patriot Bait research shows how one operator used AI assistance, social trust, WordPress credential attacks, and crypto fraud infrastructure to scale a low-cost cybercrime operation.

Cyber Security Blog
Mini Shai-Hulud Shows CI/CD Secrets Are the Real npm Supply-Chain Prize
Cyber Security Blog·

Mini Shai-Hulud Shows CI/CD Secrets Are the Real npm Supply-Chain Prize

Mini Shai-Hulud’s @antv npm compromise shows why dependency malware should be treated as a CI/CD credential-theft threat, not just a package hygiene problem.

Cyber Security Blog
ExifTool CVE-2026-3102 Shows Image Metadata Belongs in the Threat Model
Cyber Security Blog·

ExifTool CVE-2026-3102 Shows Image Metadata Belongs in the Threat Model

CVE-2026-3102 in ExifTool shows why image metadata processing should be patched, isolated, and monitored like any other untrusted file-ingest path.

Cyber Security Blog
P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure
Cyber Security Blog·

P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure

Fortinet observed P2Pinfect infections inside GKE clusters where exposed Redis instances became long-lived botnet footholds. For SMBs and government contractors, the lesson is clear: cloud misconfiguration, runtime visibility, and egress monitoring matter as much as patching.

Cyber Security Blog
Verizon DBIR 2026 Shows Vulnerability Exploitation Is Now the Breach Priority
Cyber Security Blog·

Verizon DBIR 2026 Shows Vulnerability Exploitation Is Now the Breach Priority

Verizon’s 2026 DBIR shows vulnerability exploitation overtaking credential abuse as the top breach access vector. Here is what SMBs and government contractors should fix first.

Cyber Security Blog
Fox Tempest Shows Code Signing Trust Can Be Weaponized
Cyber Security Blog·

Fox Tempest Shows Code Signing Trust Can Be Weaponized

Microsoft disrupted Fox Tempest, a malware-signing-as-a-service operation that helped ransomware crews make malicious binaries look trusted. Here is what SMBs and government contractors should review now.

Cyber Security Blog
CISA GovCloud Leak Shows Secret Scanning Cannot Be Optional
Cyber Security Blog·

CISA GovCloud Leak Shows Secret Scanning Cannot Be Optional

A reported CISA contractor GitHub leak shows why secret scanning, token rotation, and CI/CD hardening need to be enforced controls, not optional developer hygiene.

Cyber Security Blog
Storm-2949 Shows Cloud Breaches Start With Identity, Not Malware
Cyber Security Blog·

Storm-2949 Shows Cloud Breaches Start With Identity, Not Malware

Microsoft’s Storm-2949 case study is a clean warning for SMBs and government contractors: once cloud identity and control-plane access are compromised, attackers can steal data without deploying traditional malware.

AI (General)
AI Agent Governance Is Becoming a Security Control, Not a Nice-to-Have
AI (General)·

AI Agent Governance Is Becoming a Security Control, Not a Nice-to-Have

AI agents now operate with real credentials inside business systems. Here is how SMBs and government contractors should govern identity, authority, action, and evidence before agentic workflows become unmanaged risk.

AI (General)
SGLang RCE Flaws Show AI Inference Servers Need Real Network Isolation
AI (General)·

SGLang RCE Flaws Show AI Inference Servers Need Real Network Isolation

CERT/CC disclosed three SGLang vulnerabilities affecting AI inference deployments, including remote code execution and path traversal risks. Here is what SMBs and government contractors should do now.

Cyber Security Blog
Grafana GitHub Token Breach Shows Why Source Code Access Needs Guardrails
Cyber Security Blog·

Grafana GitHub Token Breach Shows Why Source Code Access Needs Guardrails

Grafana disclosed unauthorized GitHub access tied to a leaked token and codebase download. Here is what SMBs and government contractors should tighten around source-code access, CI/CD tokens, and extortion readiness.

Cyber Security Blog
node-ipc Backdoor Shows Why CI Secrets Need Supply Chain Controls
Cyber Security Blog·

node-ipc Backdoor Shows Why CI Secrets Need Supply Chain Controls

Malicious node-ipc npm releases turned a package update into a credential-exposure event. Here is what SMBs and government contractors should check first.

Cyber Security Blog
Exchange OWA Zero-Day Shows Why Email Servers Need Emergency Mitigation
Cyber Security Blog·

Exchange OWA Zero-Day Shows Why Email Servers Need Emergency Mitigation

CISA added Microsoft Exchange Server CVE-2026-42897 to KEV after evidence of active exploitation. For SMBs and government contractors, the lesson is simple: internet-facing email infrastructure needs emergency mitigation playbooks before the patch lands.

Cyber Security Blog
Device Code Phishing Turns Legitimate Login Flows Into Token Theft
Cyber Security Blog·

Device Code Phishing Turns Legitimate Login Flows Into Token Theft

Device code phishing is scaling because it abuses legitimate OAuth flows instead of simply stealing passwords. Here is what SMBs and government contractors should review now.

Cyber Security Blog
Recent Linux Kernel Exploits Make Attack Surface Reduction a Practical Priority
Cyber Security Blog·

Recent Linux Kernel Exploits Make Attack Surface Reduction a Practical Priority

Recent Linux kernel exploit discussions show why SMBs and government contractors should reduce unused modules and services, not just wait for patches.

Cyber Security Blog
PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight
Cyber Security Blog·

PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight

FortiGuard Labs reports PureLogs is being delivered through PawsRunner steganography. Here is what SMBs and government contractors should watch for defensively.

Cyber Security Blog
BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough
Cyber Security Blog·

BlackFile Vishing Campaign Shows Why MFA Alone Is Not Enough

GTIG reports UNC6671 / BlackFile is using vishing, AiTM phishing, and SaaS data theft to extort organizations. Here is what SMBs and government contractors should harden now.

Cyber Security Blog
Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets
Cyber Security Blog·

Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets

Unit 42 reports Gremlin Stealer has evolved with resource-file obfuscation, session hijacking, Discord token theft, and crypto clipboard fraud. Here is what SMBs and government contractors should do defensively.

Cyber Security Blog
Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review
Cyber Security Blog·

Cisco SD-WAN Exploitation Shows Edge Controllers Need Emergency Review

Cisco Talos reports active exploitation of Catalyst SD-WAN authentication bypass and related vulnerabilities. Here is what SMBs and government contractors should prioritize now.

Cyber Security Blog
Kazuar Shows Russian Espionage Malware Is Engineering for Resilience
Cyber Security Blog·

Kazuar Shows Russian Espionage Malware Is Engineering for Resilience

Microsoft reports that Kazuar, attributed to Russian state actor Secret Blizzard, has evolved into a modular P2P botnet. Here is what SMBs and government contractors should take from it defensively.

AI (General)
Exposed AI Apps Turn Misconfiguration Into RCE Risk
AI (General)·

Exposed AI Apps Turn Misconfiguration Into RCE Risk

Microsoft warns that publicly exposed AI apps, MCP servers, and Kubernetes-hosted agent tooling can turn weak defaults into practical paths for RCE, credential theft, and data exposure.

Cyber Security Blog
May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs
Cyber Security Blog·

May 2026 Patch Tuesday: How SMBs Should Prioritize 132 Microsoft CVEs

Microsoft’s May 2026 Patch Tuesday shipped 132 CVEs. Here is how SMBs and government contractors should prioritize identity, server, and Office risks first.

Cyber Security Blog
The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem
Cyber Security Blog·

The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem

Check Point’s look inside The Gentlemen ransomware operation is a useful reminder for SMBs and government contractors: exposed edge appliances, weak identity controls, and unmanaged remote access paths still drive real ransomware risk.

Cyber Security Blog
JDownloader Site Compromise Shows Why Trusted Downloads Still Need Verification
Cyber Security Blog·

JDownloader Site Compromise Shows Why Trusted Downloads Still Need Verification

Attackers swapped selected JDownloader website download links with malicious installers. Here is what SMB and government-contractor defenders should do about trusted-download risk.

AI (General)
Fake OpenAI Hugging Face Repo Shows AI Supply Chain Risk Is Already Here
AI (General)·

Fake OpenAI Hugging Face Repo Shows AI Supply Chain Risk Is Already Here

A fake OpenAI Privacy Filter repository on Hugging Face delivered Windows infostealer malware. Here is what SMB and gov-contractor defenders should take from it.

AI (General)
MCP Server Command Injection Shows Why AI Tools Need Real Isolation
AI (General)·

MCP Server Command Injection Shows Why AI Tools Need Real Isolation

A critical GitHub advisory for @profullstack/mcp-server shows how unsafe AI tool endpoints can turn domain lookup functionality into unauthenticated remote code execution.

Cyber Security Blog
Dirty Frag Turns Linux Footholds Into Root: What Defenders Should Do Now
Cyber Security Blog·

Dirty Frag Turns Linux Footholds Into Root: What Defenders Should Do Now

Microsoft is tracking active Dirty Frag Linux privilege escalation activity. Here is what SMB and gov-contractor defenders should prioritize now.

AI (General)
Prompt Injection Just Became an RCE Problem for AI Agents
AI (General)·

Prompt Injection Just Became an RCE Problem for AI Agents

Microsoft disclosed Semantic Kernel vulnerabilities showing how prompt injection can cross into code execution when AI agents are connected to unsafe tools. Here is what defenders should review now.

Cyber Security Blog
PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review
Cyber Security Blog·

PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review

Unit 42 reports limited exploitation of CVE-2026-0300, a PAN-OS Captive Portal zero-day. Here is what SMB and government-contractor defenders should check now.

Cyber Security Blog
PCPJack Shows Cloud Malware Is Moving From Cryptomining to Credential Theft
Cyber Security Blog·

PCPJack Shows Cloud Malware Is Moving From Cryptomining to Credential Theft

SentinelLabs reported PCPJack, a cloud-focused worm that evicts TeamPCP artifacts, steals credentials from exposed infrastructure, and spreads across cloud systems.

General CTI
Critical Cisco IMC Authentication Bypass Grants Remote Attackers Admin Privileges
General CTI·

Critical Cisco IMC Authentication Bypass Grants Remote Attackers Admin Privileges

Cisco has released emergency security updates to patch a critical authentication bypass vulnerability in its Integrated Management Controller (IMC), a critical component embedded on the motherboard of Cisco UCS C-Series and E-Series servers that provides out-of-band management ca

General CTI
UAT-10608: NEXUS Listener Framework Compromises 766 Next.js Hosts in 24-Hour Credential Harvesting Blitz
General CTI·

UAT-10608: NEXUS Listener Framework Compromises 766 Next.js Hosts in 24-Hour Credential Harvesting Blitz

Cisco Talos has disclosed a large-scale automated credential harvesting campaign carried out by a threat cluster they are tracking as “UAT-10608.” The systematic exploitation campaign leverages a custom framework called “NEXUS Listener” to target Next.js applications vulnerable t

General CTI
ShinyHunters Breaches European Commission: 350GB of Sensitive Data Exfiltrated from AWS Cloud
General CTI·

ShinyHunters Breaches European Commission: 350GB of Sensitive Data Exfiltrated from AWS Cloud

The European Commission has confirmed a significant data breach after its Europa.eu web platform was compromised in a cyberattack claimed by the notorious ShinyHunters extortion gang. The attackers allegedly exfiltrated over 350GB of sensitive data from the Commission’s Amazon We

General CTI
Oracle Issues Rare Out-of-Band Patch for Critical CVE-2026-21992 RCE in Identity Manager
General CTI·

Oracle Issues Rare Out-of-Band Patch for Critical CVE-2026-21992 RCE in Identity Manager

Oracle has released an emergency out-of-band security patch for a critical unauthenticated remote code execution vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager. Tracked as CVE-2026-21992 with a CVSS v3.1 score of 9.8, this flaw allows attackers to

General CTI
TeamPCP Spreads Trivy Supply Chain Attack to Docker Hub and Kubernetes with Devastating Wiper Payload
General CTI·

TeamPCP Spreads Trivy Supply Chain Attack to Docker Hub and Kubernetes with Devastating Wiper Payload

The cybersecurity community is reeling from an escalating supply chain attack targeting Trivy, Aqua Security’s popular open-source vulnerability scanner with over 33,800 GitHub stars. The threat actor known as TeamPCP has expanded their campaign from compromised GitHub Actions to

AI (General)
Unit 42 Warns: AI Agents Could Enable Gift Card Theft and Returns Fraud at Scale
AI (General)·

Unit 42 Warns: AI Agents Could Enable Gift Card Theft and Returns Fraud at Scale

Palo Alto Networks’ Unit 42 has published new research examining how the rise of “agentic commerce” – AI agents that autonomously browse, shop, and transact on behalf of users – could be exploited by cybercriminals to conduct retail fraud at unprecedented scale. Read the full res

AI (General)
CVE-2026-33017: Critical Langflow AI Framework Vulnerability Exploited Within 20 Hours of Disclosure
AI (General)·

CVE-2026-33017: Critical Langflow AI Framework Vulnerability Exploited Within 20 Hours of Disclosure

A critical vulnerability in Langflow, the popular open-source visual framework for building AI agents and RAG pipelines, was weaponized by threat actors within just 20 hours of public disclosure—before any proof-of-concept code was publicly available. The Vulnerability Tracked as

General CTI
DoJ Disrupts Four Massive IoT Botnets Behind Record-Breaking 31.4 Tbps DDoS Attacks
General CTI·

DoJ Disrupts Four Massive IoT Botnets Behind Record-Breaking 31.4 Tbps DDoS Attacks

The U.S. Department of Justice announced a major law enforcement operation to disrupt four IoT botnets — AISURU, Kimwolf, JackSkid, and Mossad — responsible for record-breaking distributed denial-of-service (DDoS) attacks reaching 31.4 terabits per second. The court-authorized ta

General CTI
CVE-2026-33017: Critical Langflow AI Platform Flaw Exploited Within 20 Hours of Disclosure
General CTI·

CVE-2026-33017: Critical Langflow AI Platform Flaw Exploited Within 20 Hours of Disclosure

A critical vulnerability in Langflow, a popular open-source AI workflow automation platform, has been actively exploited in the wild within just 20 hours of public disclosure—before any proof-of-concept code was even available. The Vulnerability Tracked as CVE-2026-33017 with a C

AI (General)
Critical Langflow AI Platform Flaw CVE-2026-33017 Exploited Within 20 Hours of Disclosure
AI (General)·

Critical Langflow AI Platform Flaw CVE-2026-33017 Exploited Within 20 Hours of Disclosure

A critical vulnerability in Langflow, the popular open-source AI workflow platform, has been actively exploited within just 20 hours of its public disclosure—before any proof-of-concept code was even available. The rapid weaponization highlights the shrinking window defenders hav

General CTI
CVE-2026-3564: Critical ScreenConnect Flaw Enables Session Hijacking Through ASP.NET Machine Key Abuse
General CTI·

CVE-2026-3564: Critical ScreenConnect Flaw Enables Session Hijacking Through ASP.NET Machine Key Abuse

ConnectWise has released an emergency patch for a critical vulnerability (CVE-2026-3564) in its ScreenConnect remote access platform that could allow unauthenticated attackers to hijack legitimate sessions by forging authentication credentials using extracted ASP.NET machine keys

General CTI
Interlock Ransomware Exploited Cisco FMC Zero-Day for Six Weeks Before Patch: Amazon Reveals Full Attack Chain
General CTI·

Interlock Ransomware Exploited Cisco FMC Zero-Day for Six Weeks Before Patch: Amazon Reveals Full Attack Chain

Amazon Threat Intelligence has revealed that the Interlock ransomware group exploited CVE-2026-20131—a critical CVSS 10.0 vulnerability in Cisco Secure Firewall Management Center—as a zero-day since January 26, 2026, more than five weeks before Cisco publicly disclosed the flaw o

General CTI
9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors
General CTI·

9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors

Low-cost IP KVM devices—designed to provide remote keyboard, video, and mouse access to physical systems—are introducing catastrophic security risks into enterprise environments. New research from Eclypsium reveals nine vulnerabilities affecting products from GL-iNet, Angeet/Yees

General CTI
54 EDR Killers Exploit 34 Vulnerable Signed Drivers to Disable Security Before Ransomware Deployment
General CTI·

54 EDR Killers Exploit 34 Vulnerable Signed Drivers to Disable Security Before Ransomware Deployment

A comprehensive analysis by ESET has uncovered a thriving ecosystem of endpoint detection and response (EDR) killer tools, revealing that 54 of these specialized programs abuse 34 vulnerable signed drivers to neutralize security software before ransomware attacks. The BYOVD Threa

General CTI
Rapid7 2026 Global Threat Landscape Report: Exploited Vulnerabilities Surge 105% as Attack Timelines Collapse
General CTI·

Rapid7 2026 Global Threat Landscape Report: Exploited Vulnerabilities Surge 105% as Attack Timelines Collapse

Rapid7 has released its 2026 Global Threat Landscape Report, revealing a dramatic acceleration in cyber attack patterns that leaves organizations with shrinking windows to respond to emerging threats. The research demonstrates that the predictive lead time defenders once relied u

General CTI
CISA Adds Wing FTP Server Information Disclosure Flaw to KEV Catalog Amid Active Exploitation
General CTI·

CISA Adds Wing FTP Server Information Disclosure Flaw to KEV Catalog Amid Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a medium-severity vulnerability in Wing FTP Server to its Known Exploited Vulnerabilities (KEV) catalog on March 16, 2026, confirming that attackers are actively exploiting the flaw in real-world attacks.

General CTI
Critical Veeam Backup Vulnerabilities Draw Ransomware Group Attention: Seven CVSS 9.9 Flaws Patched
General CTI·

Critical Veeam Backup Vulnerabilities Draw Ransomware Group Attention: Seven CVSS 9.9 Flaws Patched

Veeam has released emergency patches for seven severe vulnerabilities in its flagship Backup & Replication platform, several scoring CVSS 9.9 — the highest possible criticality rating. The flaws enable remote code execution (RCE), privilege escalation, and credential theft by aut

AI (General)
The Promptware Kill Chain: A New Framework for Understanding AI Malware Attacks
AI (General)·

The Promptware Kill Chain: A New Framework for Understanding AI Malware Attacks

A groundbreaking research paper by Bruce Schneier and collaborators introduces the concept of “promptware”—a distinct class of malware targeting large language models (LLMs). Moving beyond the myopic focus on prompt injection, the researchers propose a structured seven-step kill

General CTI
Operation Lightning: Global Takedown of SocksEscort Botnet That Enslaved 369,000 Routers in 163 Countries
General CTI·

Operation Lightning: Global Takedown of SocksEscort Botnet That Enslaved 369,000 Routers in 163 Countries

A coordinated international law enforcement operation has dismantled SocksEscort, a criminal proxy service that infected hundreds of thousands of residential routers worldwide to enable large-scale fraud, ransomware distribution, and other cybercrimes. The Scope of the Threat Acc

General CTI
Google Patches Two Chrome Zero-Days Under Active Exploitation: CVE-2026-3909 and CVE-2026-3910
General CTI·

Google Patches Two Chrome Zero-Days Under Active Exploitation: CVE-2026-3909 and CVE-2026-3910

Google has released emergency security updates to patch two high-severity Chrome vulnerabilities being actively exploited in zero-day attacks, affecting an estimated 3.5 billion users worldwide. “Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wi

General CTI
Operation Synergia III: Global Crackdown Takes Down 45,000 Malicious IPs and Arrests 94 Cybercriminals
General CTI·

Operation Synergia III: Global Crackdown Takes Down 45,000 Malicious IPs and Arrests 94 Cybercriminals

In one of the most significant international cybercrime operations to date, INTERPOL has announced the successful conclusion of Operation Synergia III—a coordinated global effort that dismantled critical infrastructure supporting phishing, malware, and ransomware campaigns worldw

General CTI
ShinyHunters Claims 1 Petabyte Data Theft From Telus Digital in Multi-Month BPO Breach
General CTI·

ShinyHunters Claims 1 Petabyte Data Theft From Telus Digital in Multi-Month BPO Breach

Business process outsourcing (BPO) giant Telus Digital has confirmed a major cybersecurity incident after the notorious ShinyHunters extortion group claimed to have stolen nearly one petabyte of data from the company and its customers. The breach, which involved unauthorized acce

General CTI
Google Patches Two Chrome Zero-Days Actively Exploited in the Wild, CISA Adds to KEV Catalog
General CTI·

Google Patches Two Chrome Zero-Days Actively Exploited in the Wild, CISA Adds to KEV Catalog

Google has released emergency security updates to address two high-severity vulnerabilities in Chrome that are being actively exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both flaws to its Known Exploited Vulnerabilities (KEV)

General CTI
FortiGate Devices Exploited as Network Entry Points for Service Account Credential Theft
General CTI·

FortiGate Devices Exploited as Network Entry Points for Service Account Credential Theft

Cybersecurity researchers have uncovered a sophisticated campaign where threat actors are weaponizing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks. The activity, documented by SentinelOne, targets healthcare, government, and manag

General CTI
SAP NetWeaver Critical Zero-Day (CVE-2025-31324) Under Active Exploitation by Initial Access Brokers
General CTI·

SAP NetWeaver Critical Zero-Day (CVE-2025-31324) Under Active Exploitation by Initial Access Brokers

SAP customers are being urged to immediately patch a critical zero-day vulnerability in the Visual Composer component of SAP NetWeaver application server that threat actors are actively exploiting to deploy web shell backdoors. The Vulnerability Tracked as CVE-2025-31324, this un

General CTI
Coruna iOS Exploit Kit: Nation-State Spyware Tools Now Targeting Crypto Wallet Users
General CTI·

Coruna iOS Exploit Kit: Nation-State Spyware Tools Now Targeting Crypto Wallet Users

A powerful iOS exploit kit named “Coruna” has transitioned from elite surveillance operations to financially motivated cryptocurrency theft, signaling a dangerous shift in the mobile threat landscape. From Spyware Vendor to Cybercriminal Hands Google Threat Intelligence Group (GT

General CTI
Global Coalition Dismantles Tycoon 2FA Phishing Platform: 87 Million Emails, 330 Domains Seized
General CTI·

Global Coalition Dismantles Tycoon 2FA Phishing Platform: 87 Million Emails, 330 Domains Seized

Microsoft, Europol, and a coalition of cybersecurity partners have dismantled Tycoon 2FA, one of the most prolific phishing-as-a-service (PhaaS) platforms ever documented, seizing 330 domains used for credential theft and multi-factor authentication bypass. The coordinated takedo

General CTI
Cisco Patches Two Max Severity Secure FMC Flaws Enabling Root Access
General CTI·

Cisco Patches Two Max Severity Secure FMC Flaws Enabling Root Access

Cisco has released critical security updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software that could allow unauthenticated remote attackers to gain complete root access to affected systems. Critical Vulnerabilities Overvi

General CTI
Fake Google Security Check Transforms Browser Into Surveillance Toolkit via PWA Installation
General CTI·

Fake Google Security Check Transforms Browser Into Surveillance Toolkit via PWA Installation

A sophisticated phishing campaign has been discovered that transforms web browsers into comprehensive surveillance platforms by masquerading as a Google Account security page. According to Malwarebytes researchers, this attack represents one of the most fully-featured browser-bas

General CTI
Hackers Weaponize Claude Code AI to Steal 150GB from Mexican Government in Month-Long Campaign
General CTI·

Hackers Weaponize Claude Code AI to Steal 150GB from Mexican Government in Month-Long Campaign

In a disturbing escalation of AI-enabled cyber operations, hackers have weaponized Anthropic’s Claude Code AI assistant to develop exploits, create custom attack tools, and systematically exfiltrate more than 150GB of data from Mexican government systems, according to Israeli cyb

General CTI
Operation Roar of the Lion: Israel Executes Largest Cyberattack in History Against Iran
General CTI·

Operation Roar of the Lion: Israel Executes Largest Cyberattack in History Against Iran

In an unprecedented display of cyber warfare capability, Israel has executed what is being described as the largest cyberattack in history, plunging Iran into near-total digital darkness during a coordinated military operation on Saturday, February 28, 2026. Near-Total Internet B

General CTI
Cisco Talos Exposes Three-Year Campaign: UAT-8616 Exploits SD-WAN Zero-Day for Critical Infrastructure Access
General CTI·

Cisco Talos Exposes Three-Year Campaign: UAT-8616 Exploits SD-WAN Zero-Day for Critical Infrastructure Access

Cisco Talos has disclosed the active exploitation of CVE-2026-20127, a critical zero-day vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart), by a highly sophisticated threat actor tracked as UAT-8616. The campaign, which dates back at least three years, targets c

General CTI
APT28 Targets European Entities with Operation MacroMaze Webhook Malware Campaign
General CTI·

APT28 Targets European Entities with Operation MacroMaze Webhook Malware Campaign

Russia’s notorious state-sponsored threat actor APT28 (also known as Fancy Bear) has been attributed to a sophisticated new campaign targeting organizations across Western and Central Europe. According to S2 Grupo’s LAB52 threat intelligence team, the campaign—codenamed Operation

General CTI
IDMerit Exposes One Billion Personal Records in Massive KYC Database Leak
General CTI·

IDMerit Exposes One Billion Personal Records in Massive KYC Database Leak

Digital identity verification provider IDMerit inadvertently exposed more than one billion personal records across 26 countries after leaving a database unsecured and accessible on the public internet, according to research by Cybernews. Scale of the Exposure The exposed MongoDB

General CTI
AI-Fueled Supply Chain Attacks Surge in Asia-Pacific: Group-IB Report Exposes Self-Reinforcing Cybercrime Ecosystem
General CTI·

AI-Fueled Supply Chain Attacks Surge in Asia-Pacific: Group-IB Report Exposes Self-Reinforcing Cybercrime Ecosystem

Supply chain cyber attacks are reshaping the threat landscape across Asia-Pacific, as criminals and state-aligned groups increasingly use trusted vendors, software components, and service providers as entry points into broader networks, according to Group-IB’s High-Tech Crime Tre

General CTI
287 Chrome Extensions Caught Exfiltrating Browsing History from 37.4 Million Users
General CTI·

287 Chrome Extensions Caught Exfiltrating Browsing History from 37.4 Million Users

A massive data exfiltration operation involving 287 Chrome extensions that secretly steal browsing history from approximately 37.4 million users worldwide has been uncovered by security researcher Q Continuum (alias qcontinuum1). The discovery represents roughly one percent of th

General CTI
Check Point Reveals AI Assistants Can Be Weaponized as Stealthy C2 Proxies for Malware
General CTI·

Check Point Reveals AI Assistants Can Be Weaponized as Stealthy C2 Proxies for Malware

Security researchers at Check Point have uncovered a concerning new attack vector: threat actors can abuse AI assistants like Microsoft Copilot and xAI’s Grok to create covert command-and-control (C2) communication channels that evade traditional security tools. The proof-of-conc

General CTI
2026 Unit 42 Global Incident Response Report: Attacks Now 4x Faster with AI-Accelerated Intrusions
General CTI·

2026 Unit 42 Global Incident Response Report: Attacks Now 4x Faster with AI-Accelerated Intrusions

Palo Alto Networks’ Unit 42 has released their 2026 Global Incident Response Report, analyzing over 750 major cyber incidents across 50+ countries. The findings paint a stark picture of an evolving threat landscape where attacks are faster, broader, and harder to contain than eve

General CTI
ManoMano Data Breach Exposes 37.8 Million Customer Records via Zendesk Third-Party Compromise
General CTI·

ManoMano Data Breach Exposes 37.8 Million Customer Records via Zendesk Third-Party Compromise

European home improvement marketplace ManoMano has confirmed a massive data breach affecting 37.8 million customer accounts after hackers compromised a third-party customer service provider. The breach, which surfaced on cybercriminal forum BreachForums, represents one of the lar

General CTI
Microsoft Exposes DNS-Based ClickFix Attack: Nslookup Commands Used for Stealth Malware Staging
General CTI·

Microsoft Exposes DNS-Based ClickFix Attack: Nslookup Commands Used for Stealth Malware Staging

Microsoft has disclosed a sophisticated new variant of the ClickFix social engineering attack that weaponizes the Windows nslookup command to stage malware through DNS queries, enabling attackers to bypass traditional web-based detection mechanisms. Attack Methodology This DNS-ba

General CTI
CVE-2026-21510: Windows Shell Zero-Day Exploited in the Wild to Bypass SmartScreen Protections
General CTI·

CVE-2026-21510: Windows Shell Zero-Day Exploited in the Wild to Bypass SmartScreen Protections

Microsoft’s February 2026 Patch Tuesday revealed a critical zero-day vulnerability affecting Windows Shell that attackers are actively exploiting to bypass security protections. CVE-2026-21510 carries a CVSS score of 8.8 and allows threat actors to circumvent Windows SmartScreen

General CTI
CVE-2026-1731: Critical BeyondTrust Remote Support Vulnerability Under Active Exploitation
General CTI·

CVE-2026-1731: Critical BeyondTrust Remote Support Vulnerability Under Active Exploitation

A critical pre-authentication command injection vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) is now being actively exploited in the wild, with threat actors targeting self-hosted deployments including legacy Bomgar appliances. Vulnerability

General CTI
Critical Unstructured.io Vulnerability CVE-2025-64712 Threatens AI Pipelines at Amazon, Google, and Fortune 1000 Enterprises
General CTI·

Critical Unstructured.io Vulnerability CVE-2025-64712 Threatens AI Pipelines at Amazon, Google, and Fortune 1000 Enterprises

A critical vulnerability (CVE-2025-64712) discovered in Unstructured.io, a widely deployed ETL library for AI data processing, exposes Amazon, Google, Bank of America, and 87% of Fortune 1000 companies to remote code execution attacks. The Vulnerability: CVSS 9.8 Path Traversal L

General CTI
XWorm RAT Campaign Exploits 7-Year-Old Office Vulnerability with Fileless Techniques
General CTI·

XWorm RAT Campaign Exploits 7-Year-Old Office Vulnerability with Fileless Techniques

Fortinet researchers have uncovered a new phishing campaign delivering the XWorm remote access trojan (RAT) by chaining a years-old Microsoft Office vulnerability with fileless execution techniques to evade detection. The Attack Chain The campaign uses business-themed phishing em

General CTI
Metro4Shell: Critical React Native CLI Vulnerability Actively Exploited to Deploy Malware
General CTI·

Metro4Shell: Critical React Native CLI Vulnerability Actively Exploited to Deploy Malware

Threat actors are actively exploiting a critical remote code execution vulnerability in the popular @react-native-community/cli npm package, impacting countless mobile application developers worldwide. The Vulnerability: CVE-2025-11953 Dubbed Metro4Shell, this critical vulnerabil

General CTI
Google Warns of Sustained Russia and China Cyberattacks Targeting Defense Industrial Base
General CTI·

Google Warns of Sustained Russia and China Cyberattacks Targeting Defense Industrial Base

Google Threat Intelligence Group (GTIG) has published a comprehensive report revealing persistent cyber operations targeting the defense industrial base (DIB) from Russia and China-linked threat actors. The findings detail how state-sponsored hackers are exploiting everything fro

General CTI
BridgePay Ransomware Attack Forces Nationwide Cash-Only Payment Disruption
General CTI·

BridgePay Ransomware Attack Forces Nationwide Cash-Only Payment Disruption

A major ransomware attack on BridgePay Network Solutions has caused a nationwide payment processing outage, forcing merchants across the United States to switch to cash-only operations and disrupting card transactions for municipalities and businesses alike. Ransomware Confirmed

General CTI
Flickr Data Breach Exposes User Information Through Third-Party Email Vendor Vulnerability
General CTI·

Flickr Data Breach Exposes User Information Through Third-Party Email Vendor Vulnerability

Photo and video sharing service Flickr has disclosed a data security incident where user personal information was potentially exposed through a vulnerability at a third-party email service provider. The San Francisco-based platform confirmed on February 5, 2026, that the breach m

General CTI
Ransomware Gangs Abuse ISPsystem VMmanager to Hide Malicious Infrastructure at Scale
General CTI·

Ransomware Gangs Abuse ISPsystem VMmanager to Hide Malicious Infrastructure at Scale

Ransomware operators are increasingly exploiting legitimate virtual infrastructure management platforms to host and deliver malicious payloads at scale, effectively hiding their command-and-control infrastructure among thousands of innocuous systems. The Discovery Researchers at

General CTI
EnCase Forensic Driver Weaponized: BYOVD Attack Targets 59 EDR Tools Through SonicWall VPN Breach
General CTI·

EnCase Forensic Driver Weaponized: BYOVD Attack Targets 59 EDR Tools Through SonicWall VPN Breach

Security researchers at Huntress have documented a sophisticated intrusion where threat actors leveraged compromised SonicWall SSLVPN credentials to deploy a custom EDR killer that abuses a legitimate forensic driver from Guidance Software’s EnCase to terminate security processes

General CTI
AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions
General CTI·

AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions

In a stark demonstration of how artificial intelligence is transforming the cybersecurity threat landscape, the Sysdig Threat Research Team (TRT) has documented a sophisticated cloud intrusion where attackers achieved full administrative control of an AWS environment in less than

General CTI
Vibe Coding Gone Wrong: Moltbook AI Social Network Exposes 4.75 Million Records in Massive Database Breach
General CTI·

Vibe Coding Gone Wrong: Moltbook AI Social Network Exposes 4.75 Million Records in Massive Database Breach

Google-owned Wiz discovers 4.75 million exposed records in AI social network Moltbook, including 1.5M API tokens and plaintext OpenAI keys—all because Row Level Security was never enabled on the “vibe-coded” platform.

General CTI
BreachForums Breach Exposes 324,000 Cybercriminal Identities in Unprecedented Dark Web Leak
General CTI·

BreachForums Breach Exposes 324,000 Cybercriminal Identities in Unprecedented Dark Web Leak

The tables have turned: BreachForums, one of the largest dark web marketplaces for stolen data, has been breached. A disgruntled insider leaked the real identities of nearly 324,000 cybercriminals, including email addresses, IP addresses, and connections to notorious groups like

General CTI
SonicWall Cloud Breach Enables Ransomware Attack on 74 US Banks and Credit Unions
General CTI·

SonicWall Cloud Breach Enables Ransomware Attack on 74 US Banks and Credit Unions

State-sponsored hackers exploited SonicWall’s MySonicWall cloud breach to launch a ransomware attack affecting 74 US banks and credit unions, compromising data of over 400,000 individuals. The attack demonstrates how third-party security breaches can cascade into devastating down

General CTI
Nike Investigates 1.4 TB Data Leak After World Leaks Ransomware Gang Posts Stolen Files
General CTI·

Nike Investigates 1.4 TB Data Leak After World Leaks Ransomware Gang Posts Stolen Files

Nike confirms it is investigating a potential breach after the World Leaks ransomware gang claimed to have stolen 1.4 TB of corporate data. The group, a rebrand of Hunters International, has targeted major organizations including the U.S. Marshals Service and Tata Technologies.

General CTI
WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw
General CTI·

WinRAR CVE-2025-8088: Russia, China, and Cybercriminals Unite to Exploit Path Traversal Flaw

Google Threat Intelligence reveals widespread exploitation of CVE-2025-8088 by Russian APT groups, Chinese actors, and cybercriminals. The WinRAR path traversal flaw enables payload delivery via the Windows Startup folder, with active campaigns targeting Ukraine, LATAM, and finan

General CTI
Microsoft to Disable 30-Year-Old NTLM Authentication Protocol by Default
General CTI·

Microsoft to Disable 30-Year-Old NTLM Authentication Protocol by Default

Microsoft announces NTLM will be disabled by default in upcoming Windows releases, marking the end of the 30-year-old authentication protocol that has been a persistent security vulnerability.

General CTI
Ivanti Patches Two Critical EPMM Zero-Day Vulnerabilities Under Active Exploitation
General CTI·

Ivanti Patches Two Critical EPMM Zero-Day Vulnerabilities Under Active Exploitation

Two critical CVSS 9.8 vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281, CVE-2026-1340) are under active exploitation, allowing unauthenticated remote code execution. CISA has added them to the KEV catalog with a February 1 federal deadline.

General CTI
Ivanti EPMM Zero-Days Actively Exploited: Pre-Auth RCE via Bash Arithmetic Expansion
General CTI·

Ivanti EPMM Zero-Days Actively Exploited: Pre-Auth RCE via Bash Arithmetic Expansion

Two actively exploited pre-auth RCE vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile allow attackers to execute arbitrary commands via Bash arithmetic expansion. CISA has added these to the KEV catalog.

General CTI
SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score
General CTI·

SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score

SmarterTools patches critical CVE-2026-24423 (CVSS 9.3) unauthenticated RCE vulnerability in SmarterMail email server. Two other flaws including one under active exploitation also addressed. Update immediately.

General CTI
SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass
General CTI·

SolarWinds Fixes Six Critical Web Help Desk Vulnerabilities Including RCE and Auth Bypass

SolarWinds patches six severe vulnerabilities in Web Help Desk, including four critical flaws (CVSS 9.8) enabling unauthenticated remote code execution and authentication bypass. Organizations should update to WHD 2026.1 immediately.

General CTI
Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready
General CTI·

Fortinet Blocks Actively Exploited FortiCloud SSO Zero-Day Until Patch is Ready

Fortinet confirms CVE-2026-24858, a critical FortiCloud SSO authentication bypass zero-day actively exploited in the wild. The company has blocked FortiCloud SSO from vulnerable devices while patches are being developed.

General CTI
Critical Microsoft Office Vulnerabilities Exploited in Latest Cyber Threat Campaign
General CTI·

Critical Microsoft Office Vulnerabilities Exploited in Latest Cyber Threat Campaign

Security researchers have identified sophisticated attack vectors leveraging Microsoft Office documents to bypass security measures and deliver malicious payloads. Learn about the latest threats and defensive strategies.

General CTI
THIS WEEK IN SECURITY: LOOP DOS, FLIPPER RESPONDS, AND MORE!
General CTI·

THIS WEEK IN SECURITY: LOOP DOS, FLIPPER RESPONDS, AND MORE!

by: Jonathan Bennett Here’s a fun thought experiment. UDP packets can be sent with an arbitrary source IP and port, so you can send a packet to one server, and could aim the response at another server. What happens if that response triggers another response? What if you could cra

Detection
Tool of First Resort: Israel-Hamas War in Cyber
Detection·

Tool of First Resort: Israel-Hamas War in Cyber

Feb 14, 2024 | 4 min read | Sandra Joyce | Shane Huntley READ ARTICLE Cybersecurity plays a critical role in geopolitics — particularly during times of conflict. While offensive cyber operations have become nearly universal, the tactics, timing and objectives of threat actors can

General CTI
Flash Report: LockBit Ends 2023 with Record Number of Attacks
General CTI·

Flash Report: LockBit Ends 2023 with Record Number of Attacks

Read Article Key Findings

Chinese Cyber Threat Intelligence
Hacked in China
Chinese Cyber Threat Intelligence·

Hacked in China

Read Article foreign government’s response to a U.S. strategy document rarely earns front page coverage, but in the case of the Chinese Communist Party’s (CCP) recent reaction to the U.S. government’s new cyber strategy, we should all be paying attention. Tensions continue to esc

General CTI
Financially motivated threat actors misusing App Installer
General CTI·

Financially motivated threat actors misusing App Installer

Read Article Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware. In

General CTI
Turkish Hackers Exploiting Poorly Secured MS SQL Servers Across the GlobeTurkish Hackers Exploiting Poorly Secured MS SQL Servers Across the Globe
General CTI·

Turkish Hackers Exploiting Poorly Secured MS SQL Servers Across the GlobeTurkish Hackers Exploiting Poorly Secured MS SQL Servers Across the Globe

Read Article Poorly secured Microsoft SQL (MS SQL) servers are being targeted in the U.S., European Union, and Latin American (LATAM) regions as part of an ongoing financially motivated campaign to gain initial access. “The analyzed threat campaign appears to end in one of two wa

Business
The Underground Economist: Volume 4, Issue 1
Business·

The Underground Economist: Volume 4, Issue 1

https://www.zerofox.com/blog/the-underground-economist-volume-4-issue-1/ On December 27, 2023, threat actor “APTlord” announced on the dark web forum RAMP that they were selling source code and other information owned by marinetraffic[.]com, which was allegedly obtained by the th